Highly Dangerous Zero-day Windows Trojan Targets Espionage

There is a new vicious rootkit-level malware infection targeting critical infrastructure and aimed at corporate or government espionage. It often enters the enterprise through USB sticks. Finnish security company F-Secure advised that the current malware is very dangerous and poses, “a risk of virus epidemic at the current moment.” F-Secure further warns that this is an espionage attack using LNK (*.LNK) shortcut files.  All Windows operating systems are vulnerable, even Windows 7, though F-Secure says it has added detection modules for these rootkits to its own anti-malware products. Problem is, once it added the detection module, it started discovering infections all over the world, and the hole that the virus exploits remains unfixed. Because this is a rootkit infection, the virus bypasses security mechanisms. From regular Joes to enterprises, this spy rootkit is in the wild and spreading infection.

Like hackers sniffing out sweets and set loose in a candy store, the very dangerous threat may prove too juicy of a target not to be widely exploited. The data stealing malware in the wild is meant to infiltrate systems, weaponized software aimed at critical infrastructure systems, perhaps with the magnitude of destruction that security researchers have warned is coming for years.

VirusBlokAda, an anti-virus company based in Belarus, discovered the malicious software that piggybacks on USB storage devices and exploits the way Windows processes shortcut files.  Although it’s mainly being distributed by USB drives, it can also be transferred over shared networks when a user browses affected shortcuts in removable media or WebDAV share. It doesn’t require administrative privilege to run. In an enterprise environment, users often execute files from network shares as standard operations and many organizations rely on SharePoint.

Sophos senior technology consultant Graham Cluley said, “This waltzes around autorun disable. Simply viewing the icon will run the malware.” Windows Explorer executes the malicious file, a rootkit and a dropper, even if the location of the shortcut is simply browsed to, allowing the process to execute as if retrieving an icon. The malware hides itself immediately after the system has been infected by using drivers digitally signed by Realtek Semiconductor Corporation.

Microsoft released a security advisory, publicly addressing this Windows Shell vulnerability. It’s a serious enough threat that Microsoft urges anyone who believes to have been affected “to contact the national law enforcement agency in their country.” Microsoft Malware Protection Center wrote, “Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. We anticipate other malware authors taking advantage of this technique.”

Microsoft has offered suggested workarounds. Though some security experts believe that the workarounds, which require disabling certain services, may cause an enterprise a lot of trouble, particularly for SharePoint users.

Independent researcher Frank Boldewin discovered that the malware targets SCADA control systems used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems. Boldewin wrote, “Looks like this malware was made for espionage.”

Why would someone want to infiltrate a SCADA system? According to Wesley McGrew, “There may be money in it. Maybe you take over a SCADA system and you hold it hostage for money.”

According to Krebs on Security, Jerry Bryant, a group manager of response communications at Microsoft stated that “When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem.”

Although right now the attacks seem targeted, the attempt to infect new machines has increased. MMPC blogged, “In addition to these attack attempts, about 13% of the detections we’ve witnessed appear to be email exchange or downloads of sample files from hacker sites.  Some of these detections have been picked up in packages that supposedly contain game cheats (judging by the name of the file).”

While security researchers are making educated guesses that this trojan was made for espionage, worms that use USB propagation vector may be best suited to attack isolated or air-gapped systems. If you recall, the DoD found this out in late 2008 before banning thumb drives, CDs, flash media cards, and all other removable data storage devices to prevent a worm assault from spreading any further in its network.

Although NSA spokeswoman Judith Emmel, denied there is any monitoring activities on utility companies and called on the public to trust the NSA’s adherence to the law, will this new vicious malware aimed at utilities and factories and power plants issue broader allowances for NSA’s Perfect Citizen?

MMPC writes, “We have multiple signatures that detect this threat for customers using Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform. In addition to using antimalware technology, MSRC has released an advisory with work-around details.”